Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
openclaw/extensions/feishu/src/config-schema.test.ts
Vincent Koc 7844bc89a1
Security: require Feishu webhook encrypt key (#44087) 
* Feishu: require webhook encrypt key in schema

* Feishu: cover encrypt key webhook validation

* Feishu: enforce encrypt key at startup

* Feishu: add webhook forgery regression test

* Feishu: collect encrypt key during onboarding

* Docs: require Feishu webhook encrypt key

* Changelog: note Feishu webhook hardening

* Docs: clarify Feishu encrypt key screenshot

* Feishu: treat webhook encrypt key as secret input

* Feishu: resolve encrypt key only in webhook mode
2026-03-12 11:01:00 -04:00

258 lines
7.5 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import { FeishuConfigSchema, FeishuGroupSchema } from "./config-schema.js";
describe("FeishuConfigSchema webhook validation", () => {
it("applies top-level defaults", () => {
const result = FeishuConfigSchema.parse({});
expect(result.domain).toBe("feishu");
expect(result.connectionMode).toBe("websocket");
expect(result.webhookPath).toBe("/feishu/events");
expect(result.dmPolicy).toBe("pairing");
expect(result.groupPolicy).toBe("allowlist");
expect(result.requireMention).toBe(true);
});
it("does not force top-level policy defaults into account config", () => {
const result = FeishuConfigSchema.parse({
accounts: {
main: {},
},
});
expect(result.accounts?.main?.dmPolicy).toBeUndefined();
expect(result.accounts?.main?.groupPolicy).toBeUndefined();
expect(result.accounts?.main?.requireMention).toBeUndefined();
});
it("normalizes legacy groupPolicy allowall to open", () => {
const result = FeishuConfigSchema.parse({
groupPolicy: "allowall",
});
expect(result.groupPolicy).toBe("open");
});
it("rejects top-level webhook mode without verificationToken", () => {
const result = FeishuConfigSchema.safeParse({
connectionMode: "webhook",
appId: "cli_top",
appSecret: "secret_top", // pragma: allowlist secret
});
expect(result.success).toBe(false);
if (!result.success) {
expect(
result.error.issues.some((issue) => issue.path.join(".") === "verificationToken"),
).toBe(true);
}
});
it("rejects top-level webhook mode without encryptKey", () => {
const result = FeishuConfigSchema.safeParse({
connectionMode: "webhook",
verificationToken: "token_top",
appId: "cli_top",
appSecret: "secret_top", // pragma: allowlist secret
});
expect(result.success).toBe(false);
if (!result.success) {
expect(result.error.issues.some((issue) => issue.path.join(".") === "encryptKey")).toBe(true);
}
});
it("accepts top-level webhook mode with verificationToken and encryptKey", () => {
const result = FeishuConfigSchema.safeParse({
connectionMode: "webhook",
verificationToken: "token_top",
encryptKey: "encrypt_top",
appId: "cli_top",
appSecret: "secret_top", // pragma: allowlist secret
});
expect(result.success).toBe(true);
});
it("rejects account webhook mode without verificationToken", () => {
const result = FeishuConfigSchema.safeParse({
accounts: {
main: {
connectionMode: "webhook",
appId: "cli_main",
appSecret: "secret_main", // pragma: allowlist secret
},
},
});
expect(result.success).toBe(false);
if (!result.success) {
expect(
result.error.issues.some(
(issue) => issue.path.join(".") === "accounts.main.verificationToken",
),
).toBe(true);
}
});
it("rejects account webhook mode without encryptKey", () => {
const result = FeishuConfigSchema.safeParse({
accounts: {
main: {
connectionMode: "webhook",
verificationToken: "token_main",
appId: "cli_main",
appSecret: "secret_main", // pragma: allowlist secret
},
},
});
expect(result.success).toBe(false);
if (!result.success) {
expect(
result.error.issues.some((issue) => issue.path.join(".") === "accounts.main.encryptKey"),
).toBe(true);
}
});
it("accepts account webhook mode inheriting top-level verificationToken and encryptKey", () => {
const result = FeishuConfigSchema.safeParse({
verificationToken: "token_top",
encryptKey: "encrypt_top",
accounts: {
main: {
connectionMode: "webhook",
appId: "cli_main",
appSecret: "secret_main", // pragma: allowlist secret
},
},
});
expect(result.success).toBe(true);
});
it("accepts SecretRef verificationToken in webhook mode", () => {
const result = FeishuConfigSchema.safeParse({
connectionMode: "webhook",
verificationToken: {
source: "env",
provider: "default",
id: "FEISHU_VERIFICATION_TOKEN",
},
encryptKey: "encrypt_top",
appId: "cli_top",
appSecret: {
source: "env",
provider: "default",
id: "FEISHU_APP_SECRET",
},
});
expect(result.success).toBe(true);
});
it("accepts SecretRef encryptKey in webhook mode", () => {
const result = FeishuConfigSchema.safeParse({
connectionMode: "webhook",
verificationToken: {
source: "env",
provider: "default",
id: "FEISHU_VERIFICATION_TOKEN",
},
encryptKey: {
source: "env",
provider: "default",
id: "FEISHU_ENCRYPT_KEY",
},
appId: "cli_top",
appSecret: {
source: "env",
provider: "default",
id: "FEISHU_APP_SECRET",
},
});
expect(result.success).toBe(true);
});
});
describe("FeishuConfigSchema replyInThread", () => {
it("accepts replyInThread at top level", () => {
const result = FeishuConfigSchema.parse({ replyInThread: "enabled" });
expect(result.replyInThread).toBe("enabled");
});
it("defaults replyInThread to undefined when not set", () => {
const result = FeishuConfigSchema.parse({});
expect(result.replyInThread).toBeUndefined();
});
it("rejects invalid replyInThread value", () => {
const result = FeishuConfigSchema.safeParse({ replyInThread: "always" });
expect(result.success).toBe(false);
});
it("accepts replyInThread in group config", () => {
const result = FeishuGroupSchema.parse({ replyInThread: "enabled" });
expect(result.replyInThread).toBe("enabled");
});
it("accepts replyInThread in account config", () => {
const result = FeishuConfigSchema.parse({
accounts: {
main: { replyInThread: "enabled" },
},
});
expect(result.accounts?.main?.replyInThread).toBe("enabled");
});
});
describe("FeishuConfigSchema optimization flags", () => {
it("defaults top-level typingIndicator and resolveSenderNames to true", () => {
const result = FeishuConfigSchema.parse({});
expect(result.typingIndicator).toBe(true);
expect(result.resolveSenderNames).toBe(true);
});
it("accepts account-level optimization flags", () => {
const result = FeishuConfigSchema.parse({
accounts: {
main: {
typingIndicator: false,
resolveSenderNames: false,
},
},
});
expect(result.accounts?.main?.typingIndicator).toBe(false);
expect(result.accounts?.main?.resolveSenderNames).toBe(false);
});
});
describe("FeishuConfigSchema defaultAccount", () => {
it("accepts defaultAccount when it matches an account key", () => {
const result = FeishuConfigSchema.safeParse({
defaultAccount: "router-d",
accounts: {
"router-d": { appId: "cli_router", appSecret: "secret_router" }, // pragma: allowlist secret
},
});
expect(result.success).toBe(true);
});
it("rejects defaultAccount when it does not match an account key", () => {
const result = FeishuConfigSchema.safeParse({
defaultAccount: "router-d",
accounts: {
backup: { appId: "cli_backup", appSecret: "secret_backup" }, // pragma: allowlist secret
},
});
expect(result.success).toBe(false);
if (!result.success) {
expect(result.error.issues.some((issue) => issue.path.join(".") === "defaultAccount")).toBe(
true,
);
}
});
});
Reference in New Issue View Git Blame Copy Permalink